Why are 64 signatures not checked and no ultimately trusted keys found here:
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

And this:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.

This is weird. Why does Fedora not have this, but Debian does?

And can you explain to me what it is, please?

On Thu, Jul 11, 2024 at 4:00 AM Lee <[email protected]> wrote:

> On Wed, Jul 10, 2024 at 6:07 PM 타토카 <[email protected]> wrote:
> >
> > Hello, dear Debian Community.
> >
> > I just wanted to check a key with GPG.
> >
> > I have found this on https://www.debian.org/CD/verify:
> >
> > pub   rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
> >
> > Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
> >
> > uid                  Debian CD signing key <[email protected]>
> >
> >
> > How can I download this key for GPG checking?
>
> Click on the link, that takes you to
>   https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
> and save the file.  Then gpg --import it
>
> $ gpg --import key-DA87E80D6294BE9B.txt
> gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
> gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
> <[email protected]>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: no ultimately trusted keys found
>
> hrmmm... 64 signatures not checked due to missing keys doesn't look
> good, but you've got the key now.
>
> I checked by going to
> http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
> the SHA512SUMS and SHA512SUMS.sign files.
> Verify them by
>
> $ gpg --verify SHA512SUMS.sign SHA512SUMS
> gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
> gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> gpg: Good signature from "Debian CD signing key
> <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>
> so the contents of SHA512SUMS are trustworthy.  Or as trustworthy as I
> can verify.. somebody else hopefully knows how to get all the missing
> keys and mark the DA87E80D6294BE9B key as trusted.
>
> and for whatever it's worth, I use these aliases:
> $ alias | grep sha
> alias sha1='/usr/bin/openssl dgst -sha1 '
> alias sha256='/usr/bin/openssl dgst -sha256 '
> alias sha512='/usr/bin/openssl dgst -sha512 '
>
> Regards,
> Lee
>
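
Added example, not part of the original thread and not Debian's own code: because the imported key has no trust path in the local keyring, one way to check the signature is to compare the fingerprint GnuPG reports against the one published on https://www.debian.org/CD/verify. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only if it comes from the pinned key.
# Fingerprint as published on https://www.debian.org/CD/verify (see thread).
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads GnuPG --status-fd lines on stdin; $1 is the expected fingerprint.
# Succeeds only when both of these are present:
#   GOODSIG  - signature is good and the key is not expired or revoked
#              (those cases are reported as EXPKEYSIG / REVKEYSIG instead)
#   VALIDSIG - field 12 is the primary key fingerprint (field 3, the
#              signing key, is used when field 12 is absent)
# Assumes a single signature, as in SHA512SUMS.sign.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == toupper(want)) pinned = 1
        }
        END { exit !(good && pinned) }
    '
}

# $1 = detached signature (SHA512SUMS.sign), $2 = signed file (SHA512SUMS).
# The exit status is that of signed_by_pinned_key (last command in the pipe).
verify_debian_sums() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR"
}

# Constructed status output for a good signature from the pinned key.
# TRUST_UNDEFINED is the machine-readable form of the "not certified with a
# trusted signature" warning: the signature is valid, the key just has no
# trust path in the local keyring.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2024-06-29 1719694224 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: an equally "good" signature, but from some other key.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed other key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-06-29 1719694224 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

After importing the key, `verify_debian_sums SHA512SUMS.sign SHA512SUMS` exits with status 0 only when the file was signed by the key whose fingerprint is pinned at the top.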
